Introduction

The "Principles of Federal Prosecution of Business Organizations" in the Justice Manual 
describe specific factors that prosecutors should consider in conducting an investigation of a 
corporation, determining whether to bring charges, and negotiating plea or other agreements. 
JM 9-28.300. These factors include "the adequacy and effectiveness of the corporation's 
compliance program at the time of the offense, as well as at the time of a charging decision" and 
the corporation's remedial efforts "to implement an adequate and effective corporate 
compliance program or to improve an existing one." JM 9-28.300 (citing JM 9-28.800 and JM 9-28.1000).
Additionally, the United States Sentencing Guidelines advise that consideration be
given to whether the corporation had in place at the time of the misconduct an effective 
compliance program for purposes of calculating the appropriate organizational criminal fine. See 
U.S.S.G. §§ 8B2.1, 8C2.5(f), and 8C2.8(11). Moreover, the memorandum entitled "Selection of 
Monitors in Criminal Division Matters" issued by Assistant Attorney General Brian Benczkowski 
(hereafter, the "Benczkowski Memo") instructs prosecutors to consider, at the time of the 
resolution, "whether the corporation has made significant investments in, and improvements to, 
its corporate compliance program and internal controls systems" and "whether remedial 
improvements to the compliance program and internal controls have been tested to 
demonstrate that they would prevent or detect similar misconduct in the future" to determine 
whether a monitor is appropriate. 

This document is meant to assist prosecutors in making informed decisions as to whether, 
and to what extent, the corporation's compliance program was effective at the time of the 
offense, and is effective at the time of a charging decision or resolution, for purposes of 
determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if 
any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., 
monitorship or reporting obligations). 

Because a corporate compliance program must be evaluated in the specific context of a 
criminal investigation, the Criminal Division does not use any rigid formula to assess the 
effectiveness of corporate compliance programs. We recognize that each company's risk profile 
and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make an 
individualized determination in each case. There are, however, common questions that we may 
ask in the course of making an individualized determination. As the Justice Manual notes, there 
are three "fundamental questions" a prosecutor should ask: 

1. "Is the corporation's compliance program well designed?"

2. "Is the program being applied earnestly and in good faith?" In other words, is the 
program being implemented effectively? 

3. "Does the corporation's compliance program work" in practice? 

See JM §9-28.800. 

In answering each of these three "fundamental questions," prosecutors may evaluate the 
company's performance on various topics that the Criminal Division has frequently found 
relevant in evaluating a corporate compliance program. The sample topics and questions below 
form neither a checklist nor a formula. In any particular case, the topics and questions set forth 
below may not all be relevant, and others may be more salient given the particular facts at issue.¹
Even though we have organized the topics under these three fundamental questions, we 
recognize that some topics necessarily fall under more than one category. 

I. Is the Corporation's Compliance Program Well Designed? 

The "critical factors in evaluating any program are whether the program is adequately 
designed for maximum effectiveness in preventing and detecting wrongdoing by employees and 
whether corporate management is enforcing the program or is tacitly encouraging or pressuring 
employees to engage in misconduct." JM 9-28.800. 

Accordingly, prosecutors should examine "the comprehensiveness of the compliance 
program," JM 9-28.800, ensuring that there is not only a clear message that misconduct is not 
tolerated, but also policies and procedures - from appropriate assignments of responsibility, to 
training programs, to systems of incentives and discipline - that ensure the compliance program 
is well-integrated into the company's operations and workforce. 

A. Risk Assessment 

The starting point for a prosecutor's evaluation of whether a company has a well-designed
compliance program is to understand the company's business from a commercial
perspective, how the company has identified, assessed, and defined its risk profile, and the 
degree to which the program devotes appropriate scrutiny and resources to the spectrum of 
risks. 


Prosecutors should consider whether the program is appropriately "designed to detect 
the particular types of misconduct most likely to occur in a particular corporation's line of 
business" and "complex regulatory environment[]." JM 9-28.800.² For example, prosecutors
should consider whether the company has analyzed and addressed the varying risks presented 
by, among other factors, the location of its operations, the industry sector, the competitiveness 
of the market, the regulatory landscape, potential clients and business partners, transactions
with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and 
entertainment expenses, and charitable and political donations. 

Prosecutors should also consider "[t]he effectiveness of the company's risk assessment 
and the manner in which the company's compliance program has been tailored based on that 
risk assessment" and whether its criteria are "periodically updated." See, e.g., JM 9-47.120(2)(c);
U.S.S.G. § 8B2.1(c) ("the organization shall periodically assess the risk of criminal conduct and 
shall take appropriate steps to design, implement, or modify each requirement [of the 
compliance program] to reduce the risk of criminal conduct"). 

Prosecutors may credit the quality and effectiveness of a risk-based compliance program 
that devotes appropriate attention and resources to high-risk transactions, even if it fails to 
prevent an infraction in a low-risk area. Prosecutors should therefore consider, as an indicator 
of risk-tailoring, "revisions to corporate compliance programs in light of lessons learned."
JM 9-28.800.

□ Risk Management Process - What methodology has the company used to identify, 
analyze, and address the particular risks it faces? What information or metrics has 
the company collected and used to help detect the type of misconduct in question? 
How have the information or metrics informed the company's compliance program? 

□ Risk-Tailored Resource Allocation - Does the company devote a disproportionate 
amount of time to policing low-risk areas instead of high-risk areas, such as 
questionable payments to third-party consultants, suspicious trading activity, or 
excessive discounts to resellers and distributors? Does the company give greater 
scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract 
with a government agency in a high-risk country) than more modest and routine 
hospitality and entertainment? 

□ Updates and Revisions - Is the risk assessment current and subject to periodic 
review? Have there been any updates to policies and procedures in light of lessons 
learned? Do these updates account for risks discovered through misconduct or other 
problems with the compliance program? 

B. Policies and Procedures 

Any well-designed compliance program entails policies and procedures that give both 
content and effect to ethical norms and that address and aim to reduce risks identified by the 
company as part of its risk assessment process. As a threshold matter, prosecutors should 
examine whether the company has a code of conduct that sets forth, among other things, the 
company's commitment to full compliance with relevant Federal laws that is accessible and
applicable to all company employees. As a corollary, prosecutors should also assess whether the 
company has established policies and procedures that incorporate the culture of compliance into 
its day-to-day operations. 

□ Design - What is the company's process for designing and implementing new policies 
and procedures, and has that process changed over time? Who has been involved in 
the design of policies and procedures? Have business units been consulted prior to 
rolling them out? 

□ Comprehensiveness - What efforts has the company made to monitor and 
implement policies and procedures that reflect and deal with the spectrum of risks it 
faces, including changes to the legal and regulatory landscape? 

□ Accessibility - How has the company communicated its policies and procedures to all 
employees and relevant third parties? If the company has foreign subsidiaries, are 
there linguistic or other barriers to foreign employees' access? 

□ Responsibility for Operational Integration - Who has been responsible for 
integrating policies and procedures? Have they been rolled out in a way that ensures 
employees' understanding of the policies? In what specific ways are compliance 
policies and procedures reinforced through the company's internal control systems? 

□ Gatekeepers - What, if any, guidance and training has been provided to key 
gatekeepers in the control processes (e.g., those with approval authority or 
certification responsibilities)? Do they know what misconduct to look for? Do they 
know when and how to escalate concerns? 

C. Training and Communications 

Another hallmark of a well-designed compliance program is appropriately tailored 
training and communications. 

Prosecutors should assess the steps taken by the company to ensure that policies and 
procedures have been integrated into the organization, including through periodic training and 
certification for all directors, officers, relevant employees, and, where appropriate, agents and 
business partners. Prosecutors should also assess whether the company has relayed information 
in a manner tailored to the audience's size, sophistication, or subject matter expertise. Some 
companies, for instance, give employees practical advice or case studies to address real-life 
scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. 
Prosecutors should also assess whether the training adequately covers prior compliance
incidents and how the company measures the effectiveness of its training curriculum. 

Prosecutors, in short, should examine whether the compliance program is being 
disseminated to, and understood by, employees in practice in order to decide whether the 
compliance program is "truly effective." JM 9-28.800. 

□ Risk-Based Training - What training have employees in relevant control functions 
received? Has the company provided tailored training for high-risk and control 
employees, including training that addresses risks in the area where the misconduct 
occurred? Have supervisory employees received different or supplementary training? 
What analysis has the company undertaken to determine who should be trained and on 
what subjects? 

□ Form/Content/Effectiveness of Training - Has the training been offered in the form and 
language appropriate for the audience? Is the training provided online or in-person (or 
both), and what is the company's rationale for its choice? Has the training addressed 
lessons learned from prior compliance incidents? How has the company measured the 
effectiveness of the training? Have employees been tested on what they have learned? 
How has the company addressed employees who fail all or a portion of the testing? 

□ Communications about Misconduct - What has senior management done to let 
employees know the company's position concerning misconduct? What communications 
have there been generally when an employee is terminated or otherwise disciplined for 
failure to comply with the company's policies, procedures, and controls (e.g., anonymized 
descriptions of the type of misconduct that leads to discipline)? 

□ Availability of Guidance - What resources have been available to employees to provide 
guidance relating to compliance policies? How has the company assessed whether its 
employees know when to seek advice and whether they would be willing to do so? 

D. Confidential Reporting Structure and Investigation Process 

Another hallmark of a well-designed compliance program is the existence of an efficient 
and trusted mechanism by which employees can anonymously or confidentially report 
allegations of a breach of the company's code of conduct, company policies, or suspected or 
actual misconduct. Prosecutors should assess whether the company's complaint-handling 
process includes pro-active measures to create a workplace atmosphere without fear of 
retaliation, appropriate processes for the submission of complaints, and processes to protect 
whistleblowers. Prosecutors should also assess the company's processes for handling 
investigations of such complaints, including the routing of complaints to proper personnel, timely
completion of thorough investigations, and appropriate follow-up and discipline. 

Confidential reporting mechanisms are highly probative of whether a company has 
"established corporate governance mechanisms that can effectively detect and prevent 
misconduct." JM 9-28.800; see also U.S.S.G. § 8B2.1(b)(5)(C) (an effectively working compliance 
program will have in place, and have publicized, "a system, which may include mechanisms that 
allow for anonymity or confidentiality, whereby the organization's employees and agents may 
report or seek guidance regarding potential or actual criminal conduct without fear of 
retaliation"). 

□ Effectiveness of the Reporting Mechanism - Does the company have an 
anonymous reporting mechanism, and, if not, why not? How is the reporting 
mechanism publicized to the company's employees? Has it been used? How has 
the company assessed the seriousness of the allegations it received? Has the 
compliance function had full access to reporting and investigative information? 

□ Properly Scoped Investigations by Qualified Personnel - How does the company 
determine which complaints or red flags merit further investigation? How does 
the company ensure that investigations are properly scoped? What steps does 
the company take to ensure investigations are independent, objective, 
appropriately conducted, and properly documented? How does the company 
determine who should conduct an investigation, and who makes that 
determination? 

□ Investigation Response - Does the company apply timing metrics to ensure 
responsiveness? Does the company have a process for monitoring the outcome 
of investigations and ensuring accountability for the response to any findings or 
recommendations? 

□ Resources and Tracking of Results - Are the reporting and investigating 
mechanisms sufficiently funded? How has the company collected, tracked, 
analyzed, and used information from its reporting mechanisms? Does the 
company periodically analyze the reports or investigation findings for patterns of 
misconduct or other red flags for compliance weaknesses? 

E. Third Party Management 

A well-designed compliance program should apply risk-based due diligence to its third-party
relationships. Although the degree of appropriate due diligence may vary based on the size
and nature of the company or transaction, prosecutors should assess the extent to which the
company has an understanding of the qualifications and associations of third-party partners, 
including the agents, consultants, and distributors that are commonly used to conceal 
misconduct, such as the payment of bribes to foreign officials in international business 
transactions. 

Prosecutors should also assess whether the company knows its third-party partners' 
reputations and relationships, if any, with foreign officials, and the business rationale for needing 
the third party in the transaction. For example, a prosecutor should analyze whether the 
company has ensured that contract terms with third parties specifically describe the services to 
be performed, that the third party is actually performing the work, and that its compensation is 
commensurate with the work being provided in that industry and geographical region. 
Prosecutors should further assess whether the company engaged in ongoing monitoring of the 
third-party relationships, be it through updated due diligence, training, audits, and/or annual 
compliance certifications by the third party. 

In sum, a company's third-party due diligence practices are a factor that prosecutors 
should assess to determine whether a compliance program is in fact able to "detect the particular 
types of misconduct most likely to occur in a particular corporation's line of business."
JM 9-28.800.

□ Risk-Based and Integrated Processes - How has the company's third-party 
management process corresponded to the nature and level of the enterprise risk 
identified by the company? How has this process been integrated into the relevant 
procurement and vendor management processes? 

□ Appropriate Controls - How does the company ensure there is an appropriate 
business rationale for the use of third parties? If third parties were involved in the 
underlying misconduct, what was the business rationale for using those third parties? 
What mechanisms exist to ensure that the contract terms specifically describe the 
services to be performed, that the payment terms are appropriate, that the described 
contractual work is performed, and that compensation is commensurate with the 
services rendered? 

□ Management of Relationships - How has the company considered and analyzed the 
compensation and incentive structures for third parties against compliance risks? 
How does the company monitor its third parties? Does the company have audit rights 
to analyze the books and accounts of third parties, and has the company exercised 
those rights in the past? How does the company train its third party relationship 
managers about compliance risks and how to manage them? How does the company
incentivize compliance and ethical behavior by third parties? 

□ Real Actions and Consequences - Does the company track red flags that are identified 
from due diligence of third parties and how those red flags are addressed? Does the 
company keep track of third parties that do not pass the company's due diligence or 
that are terminated, and does the company take steps to ensure that those third 
parties are not hired or re-hired at a later date? If third parties were involved in the 
misconduct at issue in the investigation, were red flags identified from the due 
diligence or after hiring the third party, and how were they resolved? Has a similar 
third party been suspended, terminated, or audited as a result of compliance issues? 

F. Mergers and Acquisitions (M&A) 

A well-designed compliance program should include comprehensive due diligence of any 
acquisition targets. Pre-M&A due diligence enables the acquiring company to evaluate more 
accurately each target's value and negotiate for the costs of any corruption or misconduct to be 
borne by the target. Flawed or incomplete due diligence can allow misconduct to continue at 
the target company, causing resulting harm to a business's profitability and reputation and 
risking civil and criminal liability. 

The extent to which a company subjects its acquisition targets to appropriate scrutiny is 
indicative of whether its compliance program is, as implemented, able to effectively enforce its 
internal controls and remediate misconduct at all levels of the organization. 

□ Due Diligence Process - Was the misconduct or the risk of misconduct identified 
during due diligence? Who conducted the risk review for the acquired/merged 
entities and how was it done? What is the M&A due diligence process generally? 

□ Integration in the M&A Process - How has the compliance function been integrated 
into the merger, acquisition, and integration process? 

□ Process Connecting Due Diligence to Implementation - What has been the 
company's process for tracking and remediating misconduct or misconduct risks 
identified during the due diligence process? What has been the company's process 
for implementing compliance policies and procedures at new entities? 

II. Is the Corporation's Compliance Program Being Implemented Effectively?

Even a well-designed compliance program may be unsuccessful in practice if 
implementation is lax or ineffective. Prosecutors are instructed to probe specifically whether a 
compliance program is a "paper program" or one "implemented, reviewed, and revised, as 
appropriate, in an effective manner." JM 9-28.800. In addition, prosecutors should determine 
"whether the corporation has provided for a staff sufficient to audit, document, analyze, and 
utilize the results of the corporation's compliance efforts." JM 9-28.800. Prosecutors should also 
determine "whether the corporation's employees are adequately informed about the 
compliance program and are convinced of the corporation's commitment to it." JM 9-28.800; 
see also JM 9-47.120(2)(c) (criteria for an effective compliance program include "[t]he company's 
culture of compliance, including awareness among employees that any criminal conduct, 
including the conduct underlying the investigation, will not be tolerated"). 

A. Commitment by Senior and Middle Management 

Beyond compliance structures, policies, and procedures, it is important for a company to 
create and foster a culture of ethics and compliance with the law. The effectiveness of a 
compliance program requires a high-level commitment by company leadership to implement a 
culture of compliance from the top. 

The company's top leaders - the board of directors and executives - set the tone for the 
rest of the company. Prosecutors should examine the extent to which senior management have 
clearly articulated the company's ethical standards, conveyed and disseminated them in clear 
and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should 
also examine how middle management, in turn, have reinforced those standards and encouraged 
employees to abide by them. See U.S.S.G. § 8B2.1(b)(2)(A)-(C) (the company's "governing 
authority shall be knowledgeable about the content and operation of the compliance and ethics 
program and shall exercise reasonable oversight" of it; "[h]igh-level personnel ... shall ensure that
the organization has an effective compliance and ethics program" (emphasis added)). 

□ Conduct at the Top - How have senior leaders, through their words and actions, 
encouraged or discouraged compliance, including the type of misconduct involved in 
the investigation? What concrete actions have they taken to demonstrate leadership 
in the company's compliance and remediation efforts? How have they modelled 
proper behavior to subordinates? Have managers tolerated greater compliance risks 
in pursuit of new business or greater revenues? Have managers encouraged 
employees to act unethically to achieve a business objective, or impeded compliance 
personnel from effectively implementing their duties? 

□ Shared Commitment - What actions have senior leaders and middle-management
stakeholders (e.g., business and operational managers, finance, procurement, legal, 
human resources) taken to demonstrate their commitment to compliance or 
compliance personnel, including their remediation efforts? Have they persisted in 
that commitment in the face of competing interests or business objectives? 

□ Oversight - What compliance expertise has been available on the board of directors? 
Have the board of directors and/or external auditors held executive or private 
sessions with the compliance and control functions? What types of information have 
the board of directors and senior management examined in their exercise of oversight 
in the area in which the misconduct occurred? 

B. Autonomy and Resources 

Effective implementation also requires those charged with a compliance program's day-to-day
oversight to act with adequate authority and stature. As a threshold matter, prosecutors
should evaluate how the compliance program is structured. Additionally, prosecutors should 
address the sufficiency of the personnel and resources within the compliance function, in 
particular, whether those responsible for compliance have: (1) sufficient seniority within the 
organization; (2) sufficient resources, namely, staff to effectively undertake the requisite 
auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as 
direct access to the board of directors or the board's audit committee. The sufficiency of each 
factor, however, will depend on the size, structure, and risk profile of the particular company. "A 
large organization generally shall devote more formal operations and greater resources . . . than 
shall a small organization." Commentary to U.S.S.G. § 8B2.1 note 2(C). By contrast, "a small 
organization may [rely on] less formality and fewer resources." Id. Regardless, if a compliance 
program is to be truly effective, compliance personnel must be empowered within the company. 

Prosecutors should evaluate whether "internal audit functions [are] conducted at a level 
sufficient to ensure their independence and accuracy," as an indicator of whether compliance 
personnel are in fact empowered and positioned to "effectively detect and prevent misconduct." 
JM 9-28.800. Prosecutors should also evaluate "[t]he resources the company has dedicated to 
compliance," "[t]he quality and experience of the personnel involved in compliance, such that 
they can understand and identify the transactions and activities that pose a potential risk," and 
"[t]he authority and independence of the compliance function and the availability of compliance 
expertise to the board." JM 9-47.120(2)(c); see also JM 9-28.800 (instructing prosecutors to 
evaluate whether "the directors established an information and reporting system in the 
organization reasonably designed to provide management and directors with timely and accurate 
information sufficient to allow them to reach an informed decision regarding the organization's 
compliance with the law"); U.S.S.G. § 8B2.1(b)(2)(C) (those with "day-to-day operational 
responsibility" shall have "adequate resources, appropriate authority and direct access to the
governing authority or an appropriate subgroup of the governing authority"). 

□ Structure - Where within the company is the compliance function housed (e.g., within 
the legal department, under a business function, or as an independent function 
reporting to the CEO and/or board)? To whom does the compliance function report? 
Is the compliance function run by a designated chief compliance officer, or another 
executive within the company, and does that person have other roles within the 
company? Are compliance personnel dedicated to compliance responsibilities, or do 
they have other, non-compliance responsibilities within the company? Why has the 
company chosen the compliance structure it has in place? 

□ Seniority and Stature - How does the compliance function compare with other 
strategic functions in the company in terms of stature, compensation levels, 
rank/title, reporting line, resources, and access to key decision-makers? What has 
been the turnover rate for compliance and relevant control function personnel? 
What role has compliance played in the company's strategic and operational 
decisions? How has the company responded to specific instances where compliance 
raised concerns? Have there been transactions or deals that were stopped, modified, 
or further scrutinized as a result of compliance concerns? 

□ Experience and Qualifications - Do compliance and control personnel have the 
appropriate experience and qualifications for their roles and responsibilities? Has the 
level of experience and qualifications in these roles changed over time? Who reviews
the performance of the compliance function and what is the review process? 

□ Funding and Resources - Has there been sufficient staffing for compliance personnel 
to effectively audit, document, analyze, and act on the results of the compliance 
efforts? Has the company allocated sufficient funds for the same? Have there been 
times when requests for resources by compliance and control functions have been 
denied, and if so, on what grounds? 

□ Autonomy - Do the compliance and relevant control functions have direct reporting 
lines to anyone on the board of directors and/or audit committee? How often do they 
meet with directors? Are members of the senior management present for these 
meetings? How does the company ensure the independence of the compliance and 
control personnel? 

□ Outsourced Compliance Functions - Has the company outsourced all or parts of its
compliance functions to an external firm or consultant? If so, why, and who is 
responsible for overseeing or liaising with the external firm or consultant? What level 
of access does the external firm or consultant have to company information? How 
has the effectiveness of the outsourced process been assessed? 

C. Incentives and Disciplinary Measures 

Another hallmark of effective implementation of a compliance program is the 
establishment of incentives for compliance and disincentives for non-compliance. Prosecutors 
should assess whether the company has clear disciplinary procedures in place, enforces them 
consistently across the organization, and ensures that the procedures are commensurate with 
the violations. Prosecutors should also assess the extent to which the company's 
communications convey to its employees that unethical conduct will not be tolerated and will 
bring swift consequences, regardless of the position or title of the employee who engages in the 
conduct. See U.S.S.G. § 8B2.1(b)(5)(C) ("the organization's compliance program shall be 
promoted and enforced consistently throughout the organization through (A) appropriate 
incentives to perform in accordance with the compliance and ethics program; and (B) appropriate 
disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to 
prevent or detect criminal conduct"). 

By way of example, some companies have found that publicizing disciplinary actions 
internally, where appropriate, can have valuable deterrent effects. At the same time, some 
companies have also found that providing positive incentives - personnel promotions, rewards, 
and bonuses for improving and developing a compliance program or demonstrating ethical 
leadership - has driven compliance. Some companies have even made compliance a significant
metric for management bonuses and/or have made working on compliance a means of career 
advancement. 

□ Human Resources Process - Who participates in making disciplinary decisions, 
including for the type of misconduct at issue? Is the same process followed for each 
instance of misconduct, and if not, why? Are the actual reasons for discipline 
communicated to employees? If not, why not? Are there legal or investigation-related 
reasons for restricting information, or have pre-textual reasons been provided to 
protect the company from whistleblowing or outside scrutiny? 

□ Consistent Application - Have disciplinary actions and incentives been fairly and 
consistently applied across the organization? Are there similar instances of 
misconduct that were treated disparately, and if so, why? 

□ Incentive System - Has the company considered the implications of its incentives and 
rewards on compliance? How does the company incentivize compliance and ethical 
behavior? Have there been specific examples of actions taken (e.g., promotions or 
awards denied) as a result of compliance and ethics considerations? Who determines 
the compensation, including bonuses, as well as discipline and promotion of 
compliance personnel? 

III. Does the Corporation's Compliance Program Work in Practice? 

The Principles of Federal Prosecution of Business Organizations require prosecutors to 
assess "the adequacy and effectiveness of the corporation's compliance program at the time of 
the offense, as well as at the time of a charging decision." JM 9-28.300. Due to the 
backward-looking nature of the first inquiry, one of the most difficult questions prosecutors must answer 
in evaluating a compliance program following misconduct is whether the program was working 
effectively at the time of the offense, especially where the misconduct was not immediately 
detected. 

In answering this question, it is important to note that the existence of misconduct does 
not, by itself, mean that a compliance program did not work or was ineffective at the time of the 
offense. See U.S.S.G. § 8B2.1(a) ("[t]he failure to prevent or detect the instant offense does not 
mean that the program is not generally effective in preventing and deterring misconduct"). 
Indeed, "[t]he Department recognizes that no compliance program can ever prevent all criminal 
activity by a corporation's employees." JM 9-28.800. Of course, if a compliance program did 
effectively identify misconduct, including allowing for timely remediation and self-reporting, a 
prosecutor should view the occurrence as a strong indicator that the compliance program was 
working effectively. 

In assessing whether a company's compliance program was effective at the time of the 
misconduct, prosecutors should consider whether and how the misconduct was detected, what 
investigation resources were in place to investigate suspected misconduct, and the nature and 
thoroughness of the company's remedial efforts. 

To determine whether a company's compliance program is working effectively at the time 
of a charging decision or resolution, prosecutors should consider whether the program evolved 
over time to address existing and changing compliance risks. Prosecutors should also consider 
whether the company undertook an adequate and honest root cause analysis to understand both 
what contributed to the misconduct and the degree of remediation needed to prevent similar 
events in the future. 

For example, prosecutors should consider, among other factors, "whether the 
corporation has made significant investments in, and improvements to, its corporate compliance 
program and internal controls systems" and "whether remedial improvements to the compliance 
program and internal controls have been tested to demonstrate that they would prevent or 
detect similar misconduct in the future." Benczkowski Memo at 2 (observing that "[w]here a 
corporation's compliance program and controls are demonstrated to be effective and 
appropriately resourced at the time of resolution, a monitor will not likely be necessary"). 

A. Continuous Improvement, Periodic Testing, and Review 

One hallmark of an effective compliance program is its capacity to improve and evolve. 
The actual implementation of controls in practice will necessarily reveal areas of risk and 
potential adjustment. A company's business changes over time, as do the environments in which 
it operates, the nature of its customers, the laws that govern its actions, and the applicable 
industry standards. Accordingly, prosecutors should consider whether the company has engaged 
in meaningful efforts to review its compliance program and ensure that it is not stale. Some 
companies survey employees to gauge the compliance culture and evaluate the strength of 
controls, and/or conduct periodic audits to ensure that controls are functioning well, though the 
nature and frequency of evaluations may depend on the company's size and complexity. 

Prosecutors may reward efforts to promote improvement and sustainability. In evaluating 
whether a particular compliance program works in practice, prosecutors should consider 
"revisions to corporate compliance programs in light of lessons learned." JM 9-28.800; see also 
JM 9-47-120(2)(c) (looking to "[t]he auditing of the compliance program to assure its 
effectiveness"). Prosecutors should likewise look to whether a company has taken "reasonable 
steps" to "ensure that the organization's compliance and ethics program is followed, including 
monitoring and auditing to detect criminal conduct," and "evaluate periodically the effectiveness 
of the organization's" program. U.S.S.G. § 8B2.1(b)(5). Proactive efforts like these may not only 
be rewarded in connection with the form of any resolution or prosecution (such as through 
remediation credit or a lower applicable fine range under the Sentencing Guidelines), but more 
importantly, may avert problems down the line. 

□ Internal Audit - What is the process for determining where and how frequently 
internal audit will undertake an audit, and what is the rationale behind that process? 
How are audits carried out? What types of audits would have identified issues 
relevant to the misconduct? Did those audits occur and what were the findings? 
What types of relevant audit findings and remediation progress have been reported 
to management and the board on a regular basis? How have management and the 
board followed up? How often does internal audit conduct assessments in high-risk 
areas? 

□ Control Testing - Has the company reviewed and audited its compliance program in 
the area relating to the misconduct? More generally, what testing of controls, 
collection and analysis of compliance data, and interviews of employees and third- 
parties does the company undertake? How are the results reported and action items 
tracked? 

□ Evolving Updates - How often has the company updated its risk assessments and 
reviewed its compliance policies, procedures, and practices? Has the company 
undertaken a gap analysis to determine if particular areas of risk are not sufficiently 
addressed in its policies, controls, or training? What steps has the company taken to 
determine whether policies/procedures/practices make sense for particular business 
segments/subsidiaries? 

□ Culture of Compliance - How often and how does the company measure its culture 
of compliance? Does the company seek input from all levels of employees to 
determine whether they perceive senior and middle management's commitment to 
compliance? What steps has the company taken in response to its measurement of 
the compliance culture? 

B. Investigation of Misconduct 

Another hallmark of a compliance program that is working effectively is the existence of 
a well-functioning and appropriately funded mechanism for the timely and thorough 
investigations of any allegations or suspicions of misconduct by the company, its employees, or 
agents. An effective investigations structure will also have an established means of documenting 
the company's response, including any disciplinary or remediation measures taken. 

□ Properly Scoped Investigation by Qualified Personnel - How has the company 
ensured that the investigations have been properly scoped, and were independent, 
objective, appropriately conducted, and properly documented? 

□ Response to Investigations - Have the company's investigations been used to identify 
root causes, system vulnerabilities, and accountability lapses, including among 
supervisory managers and senior executives? What has been the process for 
responding to investigative findings? How high up in the company do investigative 
findings go? 

C. Analysis and Remediation of Any Underlying Misconduct 

Finally, a hallmark of a compliance program that is working effectively in practice is the 
extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and 
timely and appropriately remediate to address the root causes. 

Prosecutors evaluating the effectiveness of a compliance program are instructed to 
reflect back on "the extent and pervasiveness of the criminal misconduct; the number and level 
of the corporate employees involved; the seriousness, duration, and frequency of the 
misconduct; and any remedial actions taken by the corporation, including, for example, 
disciplinary action against past violators uncovered by the prior compliance program, and 
revisions to corporate compliance programs in light of lessons learned." JM 9-28.800; see also 
JM 9-47.120(3)(c) ("to receive full credit for timely and appropriate remediation" under the FCPA 
Corporate Enforcement Policy, a company should demonstrate "a root cause analysis" and, 
where appropriate, "remediation to address the root causes"). 

Prosecutors should consider "any remedial actions taken by the corporation, including, 
for example, disciplinary action against past violators uncovered by the prior compliance 
program." JM 9-28.800; see also JM 9-47-120(2)(c) (looking to "[a]ppropriate discipline of 
employees, including those identified by the company as responsible for the misconduct, either 
through direct participation or failure in oversight, as well as those with supervisory authority 
over the area in which the criminal conduct occurred" and "any additional steps that 
demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for 
it, and the implementation of measures to reduce the risk of repetition of such misconduct, 
including measures to identify future risk"). 

□ Root Cause Analysis - What is the company's root cause analysis of the misconduct 
at issue? Were any systemic issues identified? Who in the company was involved in 
making the analysis? 

□ Prior Weaknesses - What controls failed? If policies or procedures should have 
prohibited the misconduct, were they effectively implemented, and have functions 
that had ownership of these policies and procedures been held accountable? 

□ Payment Systems - How was the misconduct in question funded (e.g., purchase 
orders, employee reimbursements, discounts, petty cash)? What processes could 
have prevented or detected improper access to these funds? Have those processes 
been improved? 

□ Vendor Management - If vendors were involved in the misconduct, what was the 
process for vendor selection and did the vendor undergo that process? 

□ Prior Indications - Were there prior opportunities to detect the misconduct in 
question, such as audit reports identifying relevant control failures or allegations, 
complaints, or investigations? What is the company's analysis of why such 
opportunities were missed? 

□ Remediation - What specific changes has the company made to reduce the risk that 
the same or similar issues will occur in the future? What specific remediation has 
addressed the issues identified in the root cause and missed opportunity analysis? 

□ Accountability - What disciplinary actions did the company take in response to the 
misconduct and were they timely? Were managers held accountable for misconduct 
that occurred under their supervision? Did the company consider disciplinary actions 
for failures in supervision? What is the company's record (e.g., number and types of 
disciplinary actions) on employee discipline relating to the types of conduct at issue? 
Has the company ever terminated or otherwise disciplined anyone (reduced or 
eliminated bonuses, issued a warning letter, etc.) for the type of misconduct at issue? 


1 Many of the topics also appear in the following resources: 

• Justice Manual ("JM") 

o JM 9-28.000 Principles of Federal Prosecution of Business Organizations, Justice 
Manual ("JM"), available at 
https://www.justice.gov/jm/jm-9-28000-principles-federal-prosecution-business-organizations . 

o JM 9-47.120 FCPA Corporate Enforcement Policy, available at 
https://www.justice.gov/jm/jm-9-47000-foreign-corrupt-practices-act-1977#9-47.120. 

• Chapter 8 - Sentencing of Organizations - United States Sentencing Guidelines 
("U.S.S.G."), available at 
https://www.ussc.gov/guidelines/2018-guidelines-manual/2018-chapter-8#NaN. 

• Memorandum entitled "Selection of Monitors in Criminal Division Matters," issued by 
Assistant Attorney General Brian Benczkowski on October 11, 2018, available at 
https://www.justice.gov/criminal-fraud/file/1100366/download . 

• Criminal Division corporate resolution agreements, available at 
https://www.justice.gov/news (DOJ's Public Affairs website contains press releases for 
all Criminal Division corporate resolutions which contain links to charging documents and 
agreements). 

• A Resource Guide to the U.S. Foreign Corrupt Practices Act ("FCPA Guide") published in 
November 2012 by the Department of Justice (DOJ) and the Securities and Exchange 
Commission (SEC) available at 
https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf . 

• Good Practice Guidance on Internal Controls, Ethics, and Compliance adopted by the 
Organization for Economic Co-operation and Development ("OECD") Council on February 
18, 2010 available at https://www.oecd.org/daf/anti-bribery/44884389.pdf . 

• Anti-Corruption Ethics and Compliance Handbook for Business ("OECD Handbook") 
published in 2013 by OECD, United Nations Office on Drugs and Crime, and the World 
Bank available at 
https://www.oecd.org/corruption/Anti-CorruptionEthicsComplianceHandbook.pdf . 


2 As discussed in the Justice Manual, many companies operate in complex regulatory 
environments outside the normal experience of criminal prosecutors. JM 9-28.000. For example, 
financial institutions such as banks, subject to the Bank Secrecy Act statute and regulations, 
require prosecutors to conduct specialized analyses of their compliance programs in the context 
of their anti-money laundering requirements. Consultation with the Money Laundering and 
Asset Recovery Section is recommended when reviewing AML compliance. See 
https://www.justice.gov/criminal-mlars . Prosecutors may also wish to review guidance 
published by relevant federal and state agencies. See Federal Financial Institutions Examination 
Council/Bank Secrecy Act/Anti-Money Laundering Examination Manual, available 
at https://www.ffiec.gov/bsa_aml_infobase/pages_manual/manual_online.htm . 